Document the remaining new privs

[solanum.git] / doc / reference.conf

/* doc/reference.conf - charybdis Example configuration file
 *
 * Copyright (C) 2000-2002 Hybrid Development Team
 * Copyright (C) 2002-2005 ircd-ratbox development team
 * Copyright (C) 2005-2006 charybdis development team
 *
 * Written by ejb, wcampbel, db, leeh and others
 *
 */

/* IMPORTANT NOTES:
 *
 * class {} blocks MUST be specified before anything that uses them.  That
 * means they must be defined before auth {} and before connect {}.
 *
 * auth {} blocks MUST be specified in order of precedence.  The first one
 * that matches a user will be used.  So place spoofs first, then specials,
 * then general access, then restricted.
 *
 * privset {} blocks MUST be specified before anything that uses them.  That
 * means they must be defined before operator {}.
 *
 * Both shell style (#) and C style comments are supported.
 *
 * Files may be included by either:
 *        .include "filename"
 *        .include <filename>
 *
 * Times/durations are written as:
 *        12 hours 30 minutes 1 second
 *
 * Valid units of time:
 *        month, week, day, hour, minute, second
 *
 * Valid units of size:
 *        megabyte/mbyte/mb, kilobyte/kbyte/kb, byte
 *
 * Sizes and times may be singular or plural.
 */

/* Extensions:
 *
 * Charybdis contains several extensions that are not enabled by default.
 * To use them, uncomment the lines below.
 *
 * Channel mode +-A (admin only)                     -- chm_adminonly
 * Channel mode +-T (blocks notices)                 -- chm_nonotice
 * Channel mode +-O (oper only)                      -- chm_operonly
 * Channel mode +-S (ssl only)                       -- chm_sslonly
 * Emulates channel mode +-O (oper only) (+-iI $o)   -- chm_operonly_compat
 * Emulates channel mode +-R (quiet unreg) (+-q $~a) -- chm_quietunreg_compat
 * Emulates channel mode +-S (ssl only) (+-b $~z)    -- chm_sslonly_compat
 * Channel mode +-M (disallow KICK on IRC ops)       -- chm_operpeace
 * Restrict channel creation to logged in users      -- createauthonly
 * Account bans (+b $a[:mask])                       -- extb_account
 * Banned from another channel (+b $j:mask)          -- extb_canjoin
 * Other-channel bans (+b $c:mask)                   -- extb_channel
 * Combination extbans                               -- extb_combi
 * Extended ban (+b $x:mask)                         -- extb_extgecos
 * Hostmask bans (for combination extbans)           -- extb_hostmask
 * Oper bans (+b $o)                                 -- extb_oper
 * Realname (gecos) bans (+b $r:mask)                -- extb_realname
 * Server bans (+b $s:mask)                          -- extb_server
 * SSL bans (+b $z)                                  -- extb_ssl
 * User mode bans (+b $u:modes)                      -- extb_usermode
 * Helpops system (umode +H)                         -- helpops
 * HURT system                                       -- hurt
 * New host mangling (umode +x)                      -- ip_cloaking_4.0
 * Old host mangling (umode +h)                      -- ip_cloaking
 * Dynamically extend channel limits                 -- m_extendchans
 * Find channel forwards                             -- m_findforwards
 * /identify support                                 -- m_identify
 * /locops support                                   -- m_locops
 * Opers cannot be invisible (umode +i)              -- no_oper_invis
 * Far connection notices (snomask +F)               -- sno_farconnect
 * Remote k/d/x line active notices                  -- sno_globalkline
 * Remote oper up notices                            -- sno_globaloper
 * Global nick-change notices                        -- sno_globalnickchange
 * /whois notifications (snomask +W)                 -- sno_whois
 * Oper-override (modehacking only)                  -- override
 * Stop services kills                               -- no_kill_services
 */
#loadmodule "extensions/chm_adminonly";
#loadmodule "extensions/chm_nonotice";
#loadmodule "extensions/chm_operonly";
#loadmodule "extensions/chm_sslonly";
#loadmodule "extensions/chm_operonly_compat";
#loadmodule "extensions/chm_quietunreg_compat";
#loadmodule "extensions/chm_sslonly_compat";
#loadmodule "extensions/chm_operpeace";
#loadmodule "extensions/createauthonly";
#loadmodule "extensions/extb_account";
#loadmodule "extensions/extb_canjoin";
#loadmodule "extensions/extb_channel";
#loadmodule "extensions/extb_combi";
#loadmodule "extensions/extb_extgecos";
#loadmodule "extensions/extb_hostmask";
#loadmodule "extensions/extb_oper";
#loadmodule "extensions/extb_realname";
#loadmodule "extensions/extb_server";
#loadmodule "extensions/extb_ssl";
#loadmodule "extensions/extb_usermode";
#loadmodule "extensions/helpops";
#loadmodule "extensions/hurt";
#loadmodule "extensions/ip_cloaking_4.0";
#loadmodule "extensions/ip_cloaking";
#loadmodule "extensions/m_extendchans";
#loadmodule "extensions/m_findforwards";
#loadmodule "extensions/m_identify";
#loadmodule "extensions/m_locops";
#loadmodule "extensions/no_oper_invis";
#loadmodule "extensions/sno_farconnect";
#loadmodule "extensions/sno_globalkline";
#loadmodule "extensions/sno_globalnickchange";
#loadmodule "extensions/sno_globaloper";
#loadmodule "extensions/sno_whois";
#loadmodule "extensions/override";
#loadmodule "extensions/no_kill_services";

/* serverinfo {}:  Contains information about the server. (OLD M:) */
serverinfo {
        /* name: the name of our server */
        name = "hades.arpa";

        /* sid: the unique server id of our server.  This must be three
         * characters long.  The first character must be a digit [0-9], the
         * remaining two chars may be letters [A-Z] or digits [0-9].
         *
         * This parameter must be specified for the server to start.
         */
        sid = "42X";

        /* description: the description of our server.  '[' and ']' may not
         * be used here for compatibility with older servers.
         */
        description = "charybdis test server";

        /* network info: the name and description of the network this server
         * is on.  Shown in the 005 reply and used with serverhiding.
         */
        network_name = "MyNet";

        /* vhost: the IP to bind to when we connect outward to ipv4 servers.
         * This should be an ipv4 IP only.
         */
        #vhost = "192.0.2.6";

        /* vhost6: the IP to bind to when we connect outward to ipv6 servers.
         * This should be an ipv6 IP only.
         */
        #vhost6 = "2001:db8:2::6";

        /* ssl_cert: certificate (and optionally key) for our ssl server */
        ssl_cert = "etc/ssl.pem";

        /* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
        #ssl_private_key = "etc/ssl.key";

        /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */
        /* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
           and some will succeed but use weak, common DH groups! */
        ssl_dh_params = "etc/dh.pem";

        /* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */
        #ssl_cipher_list = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL";

        /* ssld_count: number of ssld processes you want to start, if you
         * have a really busy server, using N-1 where N is the number of
         * cpu/cpu cores you have might be useful. A number greater than one
         * can also be useful in case of bugs in ssld and because ssld needs
         * two file descriptors per SSL connection.
         */
        ssld_count = 1;

        /* default max clients: the default maximum number of clients
         * allowed to connect.  This can be changed once ircd has started by
         * issuing:
         *   /quote set maxclients <limit>
         */
        default_max_clients = 1024;

        /* nicklen: enforced nickname length (for this server only; must not
         * be longer than the maximum length set while building).
         */
        nicklen = 30;
};

/* admin {}: contains admin information about the server. (OLD A:) */
admin {
        name = "Smurf target";
        description = "Main Server Administrator";
        email = "<syn@packets.r.us>";
};

/* log {}: contains information about logfiles. */
log {
        /* logfiles: the logfiles to use for specific activity.  if these
         * paths are defined, then ircd will log to them, otherwise it wont.
         *
         * The confs are, in order:
         * - userlog:    user exits
         * - fuserlog:   failed user connections
         * - operlog:    /oper usage
         * - foperlog:   failed /oper usage
         * - serverlog:  server connects/disconnects
         * - klinelog:   klines, etc
         * - killlog:    kills
         * - operspylog: operspy usage
         * - ioerrorlog: IO errors
         */
        fname_userlog = "logs/userlog";
        #fname_fuserlog = "logs/fuserlog";
        fname_operlog = "logs/operlog";
        #fname_foperlog = "logs/foperlog";
        fname_serverlog = "logs/serverlog";
        #fname_klinelog = "logs/klinelog";
        fname_killlog = "logs/killlog";
        fname_operspylog = "logs/operspylog";
        #fname_ioerrorlog = "logs/ioerror";
};

/* class {}: contain information about classes for users (OLD Y:) */
class "users" {
        /* class name must go above */

        /* ping time: how often a client must reply to a PING from the
         * server before they are dropped.
         */
        ping_time = 2 minutes;

        /* number per ident: the number of users per user@host networkwide
         * allowed to connect.  Unidented connections are classified as
         * the same ident.
         */
        number_per_ident = 2;

        /* number per ip: the number of local users per host allowed */
        number_per_ip = 3;

        /* number per ip global: the number of network wide connections
         * per host allowed for a user, including connections to the
         * local server.
         */
        number_per_ip_global = 5;

        /* cidr_ipv4_bitlen:  Limits numbers of connections from a subnet size
         */
        cidr_ipv4_bitlen = 24;

        /* cidr_ipv6_bitlen:  Limits numbers of connections from a subnet size
         * the following example makes the subnet /64 this is useful
         * for IPv6 connections in particular
         */
        cidr_ipv6_bitlen = 64;

        /* number_per_cidr:  Number of connections to allow from a subnet of the
         * size given in cidr_ipv4_bitlen/cidr_ipv6_bitlen.
         * 4 seems to be a good default to me.
         */
        number_per_cidr = 4;

        /* max number: the maximum number of users allowed in this class */
        max_number = 100;

        /* sendq: the amount of data allowed in a clients queue before
         * they are dropped.
         */
        sendq = 100 kbytes;
};

class "restricted" {
        ping_time = 1 minute 30 seconds;
        number_per_ip = 1;
        max_number = 100;
        sendq = 60kb;
};

class "opers" {
        ping_time = 5 minutes;
        number_per_ip = 10;
        max_number = 100;
        sendq = 100kbytes;
};

class "server" {
        ping_time = 5 minutes;

        /* connectfreq: only used in server classes.  specifies the delay
         * between autoconnecting to servers.
         */
        connectfreq = 5 minutes;

        /* max number: the amount of servers to autoconnect to.  if the number
         * of servers in the class is or exceeds this, no more servers in the
         * class are autoconnected.  oper initiated connects are unaffected.
         * this should usually be set to either 0 or 1.  (autoconnecting from
         * hubs to leaves may cause leaves to function as hubs by having
         * multiple servers connected to them.)
         */
        max_number = 1;

        /* sendq: servers need a higher sendq as they are sent more data */
        sendq = 2 megabytes;
};

/* listen {}: contain information about the ports ircd listens on (OLD P:) */
listen {
        /* defer_accept: wait for clients to send IRC handshake data before
         * accepting them.  if you intend to use software which depends on the
         * server replying first, such as BOPM, you should disable this feature.
         * otherwise, you probably want to leave it on.
         */
        defer_accept = yes;

        /* port: the specific port to listen on.  if no host is specified
         * before, it will listen on all available IPs.
         *
         * sslport: the specific port to listen ssl connections on. if no
         * host is specified before, it will listen on all available IPs.
         *
         * ports are seperated via a comma, a range may be specified using ".."
         */

        /* port: listen on all available IPs, ports 5000 and 6665 to 6669 */
        port = 5000, 6665 .. 6669;

        /* sslport: listen for ssl connections on all available IPs, port 6697 */
        sslport = 6697;

        /* host: set a specific IP/host the ports after the line will listen
         * on.  This may be ipv4 or ipv6.
         */
        host = "192.0.2.6";
        port = 7000, 7001;
        sslport = 9000, 9001;

        host = "2001:db8:2::6";
        port = 7002;
        sslport = 9002;

        /* wsock: listeners defined with this option enabled will be websocket listeners,
         * and will not accept normal clients.
         */
        wsock = yes;
        sslport = 9999;
};

/* auth {}: allow users to connect to the ircd (OLD I:) */
auth {
        /* user: the user@host allowed to connect.  Multiple IPv4/IPv6 user
         * lines are permitted per auth block.  This is matched against the
         * hostname and IP address (using :: shortening for IPv6 and
         * prepending a 0 if it starts with a colon) and can also use CIDR
         * masks.
         */
        user = "*@198.51.100.0/24";
        user = "*test@2001:db8:1:*";

        /* auth_user: This allows specifying a username:password instead of
         * just a password in PASS, so that a fixed user@host is not
         * necessary for a specific auth{} block.
         */
        #auth_user = "SomeUser";

        /* password: an optional password that is required to use this block.
         * By default this is not encrypted, specify the flag "encrypted" in
         * flags = ...; below if it is.
         */
        password = "letmein";

        /* spoof: fake the users user@host to be be this.  You may either
         * specify a host or a user@host to spoof to.  This is free-form,
         * just do everyone a favour and dont abuse it. (OLD I: = flag)
         */
        spoof = "I.still.hate.packets";

        /* Possible flags in auth:
         *
         * encrypted                  | password is encrypted with mkpasswd
         * spoof_notice               | give a notice when spoofing hosts
         * exceed_limit (old > flag)  | allow user to exceed class user limits
         * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines,
         *                            | dnsbls, and proxies
         * dnsbl_exempt               | exempt this user from dnsbls
         * proxy_exempt               | exempt this user from proxies
         * spambot_exempt             | exempt this user from spambot checks
         * shide_exempt               | exempt this user from serverhiding
         * jupe_exempt                | exempt this user from generating
         *                              warnings joining juped channels
         * resv_exempt                | exempt this user from resvs
         * flood_exempt               | exempt this user from flood limits
         *                                     USE WITH CAUTION.
         * no_tilde     (old - flag)  | don't prefix ~ to username if no ident
         * need_ident   (old + flag)  | require ident for user in this class
         * need_ssl                   | require SSL/TLS for user in this class
         * need_sasl                  | require SASL id for user in this class
         * extend_chans               | allow this user to join more channels than normal
         * kline_spoof_ip             | if this block has a spoof host, klines match only
         *                            | the spoof and not the underlying IP
         */
        flags = kline_exempt, exceed_limit;

        /* class: the class the user is placed in */
        class = "opers";
};

auth {
        /* redirect: the server and port to redirect a user to.  A user does
         * not have to obey the redirection, the ircd just suggests to them
         * an alternative server.
         */
        redirserv = "irc.example.net";
        redirport = 6667;

        user = "*.example.com";

        /* class: a class is required even though it is not used */
        class = "users";
};

auth {
        user = "*@*";
        class = "users";
};

/* privset{}: defines operator privilege sets. */
privset "local_op" {
        /* privs: controls the activities and commands an oper is
         * allowed to do on the server
         *
         * Available options:
         *
         * oper:general:         enable most general oper privileges that came
         *                       with +o in older releases
         * auspex:oper:          allows the oper to see through oper hiding
         * auspex:umodes:        allows viewing other users' modes
         * auspex:cmodes:        shows privileged cmodes
         * auspex:hostname:      shows hidden hostnames/ips
         * oper:privs:           allows /stats o/O and seeing privset in /whois
         * oper:testline:        allows /testline and /testgecos
         * oper:local_kill:      allows local users to be /KILL'd
         * oper:global_kill:     allows local and remote users to be /KILL'd
         * oper:routing:         allows remote SQUIT and CONNECT
         * oper:kline:           allows KLINE and DLINE
         * oper:unkline:         allows UNKLINE and UNDLINE
         * snomask:nick_changes: allows oper to see nickchanges via snomask +n
         * oper:rehash:          allows oper to REHASH config
         * oper:die:             allows DIE and RESTART
         * oper:admin:           gives admin privileges.  admins
         *                       may (un)load modules and see various
         *                       additional information.
         * oper:hidden_admin:    gives admin privileges except
         *                       will not have the admin lines in
         *                       whois.
         * oper:xline:           allows use of /quote xline/unxline
         * oper:resv:            allows /quote resv/unresv
         * oper:cmodes:          allows cmode +LP
         * oper:operwall:        allows the oper to send/receive operwalls
         * oper:spy:             allows 'operspy' features to see through +s
         *                       channels etc. see /quote help operspy
         * oper:hidden:          hides the oper from /stats p
         * oper:remoteban:       allows remote kline etc
         * oper:mass_notice:     allows sending wallops and mass notices
         * oper:grant:           allows using the GRANT command
         */
        privs = oper:general, auspex:oper, oper:privs, oper:testline, oper:local_kill, oper:operwall;
};

privset "server_bot" {
        /* extends: a privset to inherit in this privset */
        extends = "local_op";
        privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
        extends = "local_op";
        privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
                oper:resv, oper:cmodes, oper:mass_notice, oper:remoteban;
};

privset "admin" {
        extends = "global_op";
        privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:grant;
};

/* operator {}: defines ircd operators. (OLD O:) */
operator "god" {
        /* name: the name of the oper must go above */

        /* user: the user@host required for this operator.  CIDR *is*
         * supported now. auth{} spoofs work here, other spoofs do not.
         * multiple user="" lines are supported.
         */
        user = "*god@*";
        user = "*@127.0.0.1";

        /* password: the password required to oper.  Unless ~encrypted is
         * contained in flags = ...; this will need to be encrypted using
         * mkpasswd, MD5 is supported
         */
        password = "etcnjl8juSU1E";

        /* rsa key: the public key for this oper when using Challenge.
         * A password should not be defined when this is used, see
         * doc/challenge.txt for more information.
         */
        #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";

        /* fingerprint: if specified, the oper's client certificate
         * fingerprint will be checked against the specified fingerprint
         * below.
         */
        #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";

        /* umodes: the specific umodes this oper gets when they oper.
         * If this is specified an oper will not be given oper_umodes
         * These are described above oper_only_umodes in general {};
         */
        #umodes = locops, servnotice, operwall, wallop;

        /* snomask: specific server notice mask on oper up.
         * If this is specified an oper will not be given oper_snomask.
         */
        snomask = "+Zbfkrsuy";

        /* flags: misc options for the operator.  You may prefix an option
         * with ~ to disable it, e.g. ~encrypted.
         *
         * Default flags are encrypted.
         *
         * Available options:
         *
         * encrypted:    the password above is encrypted [DEFAULT]
         * need_ssl:     must be using SSL/TLS to oper up
         */
        flags = encrypted;

        /* privset: privileges set to grant */
        privset = "admin";
};

/* connect {}: controls servers we connect to (OLD C:, N:, H:, L:) */
connect "irc.uplink.com" {
        /* the name must go above */

        /* host: the host or IP to connect to.  If a hostname is used it
         * must match the reverse dns of the server.
         */
        host = "203.0.113.3";

        /* vhost: the host or IP to bind to for this connection.  If this
         * is not specified, the default vhost (in serverinfo {}) is used.
         */
        #vhost = "192.0.2.131";

        /* passwords: the passwords we send (OLD C:) and accept (OLD N:).
         * The remote server will have these passwords reversed.
         */
        send_password = "password";
        accept_password = "anotherpassword";

        /* fingerprint: if flags = ssl is specified, the server's
         * certificate fingerprint will be checked against the fingerprint
         * specified below. required if using flags = ssl.
         */
        #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";

        /* port: the port to connect to this server on */
        port = 6666;

        /* hub mask: the mask of servers that this server may hub. Multiple
         * entries are permitted
         */
        hub_mask = "*";

        /* leaf mask: the mask of servers this server may not hub.  Multiple
         * entries are permitted.  Useful for forbidding EU -> US -> EU routes.
         */
        #leaf_mask = "*.uk";

        /* class: the class this server is in */
        class = "server";

        /* flags: controls special options for this server
         * encrypted    - marks the accept_password as being crypt()'d
         * autoconn     - automatically connect to this server
         * compressed   - compress traffic via ziplinks
         * topicburst   - burst topics between servers
         * ssl          - ssl/tls encrypted server connections
         * no-export    - marks the link as a no-export link (not exported to other links)
         */
        flags = compressed, topicburst;
};

connect "ipv6.lame.server" {
        host = "192.0.2.1";
        host = "2001:db8:3::8";
        send_password = "password";
        accept_password = "password";
        port = 6666;

        /* aftype: controls whether the outgoing connection uses "ipv4" or "ipv6".
         * Default is to try either at random.
         */
        aftype = ipv6;
        class = "server";
};

connect "ssl.uplink.com" {
        /* Example of ssl server-to-server connection, ssl flag doesn't need
         * compressed flag, 'cause it uses own compression
         */
        host = "203.0.113.129";
        send_password = "password";
        accept_password = "anotherpassword";
        port = 9999;
        hub_mask = "*";
        class = "server";
        flags = ssl, topicburst;
};

/* cluster {}; servers that we propagate things to automatically.
 * NOTE: This does NOT grant them privileges to apply anything locally,
 *       you must add a seperate shared block for that.  Clustering will
 *       only be done for actions by LOCAL opers, that arent directed
 *       remotely.
 */
cluster {
        /* name: the server to share with, this can be a wildcard and may be
         * stacked.
         */
        /* flags: list of what to share, all the name lines above this (up
         * until another flags entry) will receive these flags.
         *
         *    kline   - share perm klines
         *    tkline  - share temp klines
         *    unkline - share unklines
         *    locops  - share locops
         *    xline   - share perm xlines
         *    txline  - share temp xlines
         *    unxline - share unxlines
         *    resv    - share perm resvs
         *    tresv   - share temp resvs
         *    unresv  - share unresvs
         *    all     - share all of the above
         */

        /* share klines/unklines/xlines with *.lan */
        name = "*.lan";
        flags = kline, unkline, xline;

        /* share locops with irc.ircd-ratbox.org and ircd.ircd-ratbox.org */
        name = "irc.ircd-ratbox.org";
        name = "ircd.ircd-ratbox.org";
        flags = locops;
};

/* service{}: privileged servers (services). These servers have extra
 * privileges such as setting login names on users and introducing clients
 * with umode +S (unkickable, hide channels, etc). This does not allow them
 * to set bans, you need a separate shared{} for that.
 * Do not place normal servers here.
 * There may be only one service{} block.
 */
service {
        /* name: the server name. These may be stacked. */
        name = "services.int";
};

/* shared {}: users that are allowed to place remote bans on our server.
 * NOTE: These are ordered top down.  The first one the user@host and server
 *       matches will be used.  Their access will then be decided on that
 *       block and will not fall back to another block that matches.
 */
shared {
        /* oper: the user@host and server the user must be on to set klines.
         * The first field must be a user@host, the second field is an
         * optional server.  These may be stacked.
         */
        /* flags: list of what to allow them to place, all the oper lines
         * above this (up until another flags entry) will receive these
         * flags.  This *must* be present.
         *
         *    kline   - allow setting perm/temp klines
         *    tkline  - allow setting temp klines
         *    unkline - allow removing klines
         *    xline   - allow setting perm/temp xlines
         *    txline  - allow setting temp xlines
         *    unxline - allow removing xlines
         *    resv    - allow setting perm/temp resvs
         *    tresv   - allow setting temp resvs
         *    unresv  - allow removing xlines
         *    all     - allow oper/server to do all of above.
         *    locops  - allow locops - only used for servers who cluster
         *    rehash  - allow rehashing
         *    dline   - allow setting perm/temp dlines
         *    tdline  - allow setting temp dlines
         *    undline - allow removing dlines
         *    grant   - allow granting operator status
         *    die     - allow remote DIE/RESTART
         *    module  - allow remote module commands
         *    none    - disallow everything
         */

        /* allow flame@*.leeh.co.uk on server irc.ircd-ratbox.org and
         * allow leeh@*.leeh.co.uk on server ircd.ircd-ratbox.org to kline
         */
        oper = "flame@*.leeh.co.uk", "irc.ircd-ratbox.org";
        oper = "leeh@*.leeh.co.uk", "ircd.ircd-ratbox.org";
        flags = kline;

        /* you may forbid certain opers/servers from doing anything */
        oper = "irc@vanity.oper", "*";
        oper = "*@*", "irc.vanity.server";
        oper = "irc@another.vanity.oper", "bigger.vanity.server";
        flags = none;

        /* or allow everyone to place temp klines */
        oper = "*@*";
        flags = tkline;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
        ip = "192.0.2.0/24";

        /* these may be stacked */
        ip = "127.0.0.1";
};

/* The channel block contains options pertaining to channels */
channel {
        /* invex: Enable/disable channel mode +I, a n!u@h list of masks
         * that can join a +i channel without an invite.
         */
        use_invex = yes;

        /* except: Enable/disable channel mode +e, a n!u@h list of masks
         * that can join a channel through a ban (+b).
         */
        use_except = yes;

        /* forward: Enable/disable channel mode +f, a channel to forward
         * users to if they can't join because of +i etc. Also enables ban
         * forwarding, <mask>$<channel>.
         */
        use_forward = yes;

        /* knock: Allows users to request an invite to a channel that
         * is locked somehow (+ikl).  If the channel is +p or you are banned
         * the knock will not be sent.
         */
        use_knock = yes;

        /* knock delay: The amount of time a user must wait between issuing
         * the knock command.
         */
        knock_delay = 5 minutes;

        /* knock channel delay: How often a knock to any specific channel
         * is permitted, regardless of the user sending the knock.
         */
        knock_delay_channel = 1 minute;

        /* max chans: The maximum number of channels a user can join/be on. */
        max_chans_per_user = 15;

        /* max chans (large): The extended maximum number of channels a user can join. */
        max_chans_per_user_large = 60;

        /* max bans: maximum number of +b/e/I/q modes in a channel */
        max_bans = 100;

        /* max bans: maximum number of +b/e/I/q modes in a +L channel */
        max_bans_large = 500;

        /* splitcode: split users, split servers and either no join on split
         * or no create on split must be enabled for split checking.
         * splitmode will be entered on either split users or split servers
         * dropping below the limit.
         *
         * you may force splitmode to be permanent by /quote set splitmode on
         */

        /* split users: when the usercount is lower than this level, consider
         * ourselves split.  this must be set for automatic splitmode
         */
        default_split_user_count = 0;

        /* split servers: when the amount of servers that have acknowledged
         * theyve finished bursting is lower than this, consider ourselves
         * split.  this must be set for automatic splitmode
         */
        default_split_server_count = 0;

        /* split: no create: disallow users creating channels on split */
        no_create_on_split = no;

        /* split: no join: disallow users joining channels at all on a split */
        no_join_on_split = no;

        /* burst topicwho: when bursting topics, also burst the topic setter */
        burst_topicwho = yes;

        /* kick on split riding: kick users riding splits to join +i or +k
         * channels. more precisely, if a bursting server sends an SJOIN
         * for a channel with a lower TS with either a +i mode or a +k
         * mode with a different key, kick all local users.
         *
         * note: this does not take +r, +b, +e and +I into account.
         */
        kick_on_split_riding = no;

        /* only ascii channels: disable local users joining channels
         * containing characters outside the range 33-126 (non-printable
         * or non-ASCII).
         */
        only_ascii_channels = no;

        /* resv_forcepart: force any local users to part a channel
         * when a RESV is issued.
         */
        resv_forcepart = yes;

        /* channel target change: restrict how many channels users can
         * message per unit of time. IRC operators, channel operators and
         * voiced users are exempt.
         */
        channel_target_change = yes;

        /* disable local channels: if yes, then local channels will not be
         * supported.
         */
        disable_local_channels = no;

        /* autochanmodes: the channel modes that should be automatically set
         * when a channel is created.
         */
        autochanmodes = "+nt";

        /* displayed_usercount: the minimum amount of users on a channel before it
         * is displayed in LIST.  this parameter can be overridden using ELIST parameters,
         * such as LIST >0.
         */
        displayed_usercount = 3;

        /* strip_topic_colors: whether or not color codes in TOPIC should be stripped. */
        strip_topic_colors = no;

        /* opmod_send_statusmsg: format messages sent to ops due to +z
         * as PRIVMSG @#channel when sent to clients.
         */
        opmod_send_statusmsg = no;
};


/* The serverhide block contains the options regarding serverhiding */
serverhide {
        /* flatten links: this option will hide various routing information
         * and make all servers in /links appear that they are linked to
         * this server.
         */
        flatten_links = no;

        /* links delay: how long to wait before showing splits or new
         * servers in a flattened /links output.
         */
        links_delay = 5 minutes;

        /* hidden: hide this server from a /links output on servers with
         * flatten_links enabled.  this allows hub servers to be hidden etc.
         */
        hidden = no;

        /* disable hidden: prevent servers hiding themselves from a
         * /links ouput.
         */
        disable_hidden = no;
};

/* These are the blacklist settings.
 * You can have multiple combinations of host and rejection reasons.
 * They are used in pairs of one host/rejection reason.
 *
 * These settings should be adequate for most networks.
 *
 * Word to the wise: Do not use blacklists like SPEWS for blocking IRC
 * connections.
 *
 * As of charybdis 2.2, you can do some keyword substitution on the rejection
 * reason. The available keyword substitutions are:
 *
 *   ${ip}           - the user's IP
 *   ${host}         - the user's canonical hostname
 *   ${dnsbl-host}   - the dnsbl hostname the lookup was done against
 *   ${nick}         - the user's nickname
 *   ${network-name} - the name of the network
 *
 * As of charybdis 3.4, a type parameter is supported, which specifies the
 * address families the blacklist supports. IPv4 and IPv6 are supported.
 * IPv4 is currently the default as few blacklists support IPv6 operation
 * as of this writing.
 *
 * As of charybdis 3.5, a matches parameter is allowed; if omitted, any result
 * is considered a match. If included, a comma-separated list of *quoted*
 * strings is allowed to match queries. They may be of the format "0" to "255"
 * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match
 * an A record. The blacklist is only applied if it matches anything in the
 * list. You may freely mix full IP's and final octets.
 *
 * Consult your blacklist provider for the meaning of these parameters; they
 * are usually used to denote different ban types.
 */
blacklist {
        host = "rbl.efnetrbl.org";
        type = ipv4;
        reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

        /* Example of a blacklist that supports both IPv4 and IPv6 and using matches */
#       host = "foobl.blacklist.invalid";
#       matches = "4", "6", "127.0.0.10";
#       type = ipv4, ipv6;
#       reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
};

/* These are the OPM settings.
 * This is similar to the functionality provided by BOPM. It will scan incoming
 * connections for open proxies by connecting to clients and attempting several
 * different open proxy handshakes. If they connect back to us (via a dedicated
 * listening port), and send back the data we send them, they are considered
 * an open proxy. For politeness reasons (users may be confused by the incoming
 * connection attempts if they are logging incoming connections), the user is
 * notified upon connect if they are being scanned.
 *
 * WARNING:
 * These settings are considered experimental. Only the most common proxy types
 * are checked for (Charybdis is immune from POST and GET proxies). If you are
 * not comfortable with experimental code, do not use this feature.
 */
#opm {
        /* IPv4 address to listen on. This must be a publicly facing IP address
         * to be effective.
         * If omitted, it defaults to serverinfo::vhost.
         */
        #listen_ipv4 = "127.0.0.1";

        /* IPv4 port to listen on.
         * This should not be the same as any existing listeners.
         */
        #port_v4 = 32000;

        /* IPv6 address to listen on. This must be a publicly facing IP address
         * to be effective.
         * If omitted, it defaults to serverinfo::vhost6.
         */
        #listen_ipv6 = "::1";

        /* IPv6 port to listen on.
         * This should not be the same as any existing listeners.
         */
        #port_v6 = 32000;

        /* You can also set the listen_port directive which will set both the
         * IPv4 and IPv6 ports at once.
         */
        #listen_port = 32000;

        /* This sets the timeout in seconds before ending open proxy scans.
         * Values less than 1 or greater than 60 are ignored.
         * It is advisable to keep it as short as feasible, so clients do not
         * get held up by excessively long scan times.
         */
        #timeout = 5;

        /* These are the ports to scan for SOCKS4 proxies on. They may overlap
         * with other scan types. Sensible defaults are given below.
         */
        #socks4_ports = 80, 443, 1080, 8000, 8080, 10800;

        /* These are the ports to scan for SOCKS5 proxies on. They may overlap
         * with other scan types. Sensible defaults are given below.
         */
        #socks5_ports = 80, 443, 1080, 8000, 8080, 10800;

        /* These are the ports to scan for HTTP CONNECT proxies on (plaintext).
         * They may overlap with other scan types. Sensible defaults are given
         * below.
         */
        #httpconnect_ports = 80, 8080, 8000;

        /* These are the ports to scan for HTTPS CONNECT proxies on (SSL).
         * They may overlap with other scan types. Sensible defaults are given
         * below.
         */
        #httpsconnect_ports = 443, 4443;
#};

/*
 * Alias blocks allow you to define custom commands. (Old m_sshortcut.c)
 * They send PRIVMSG to the given target. A real command takes
 * precedence above an alias.
 */
alias "NickServ" {
        /* the name must go above */

        /* target: the target nick (must be a network service) or
         * user@server (cannot be this server, only opers can use
         * user starting with "opers" reliably, interpreted on the target
         * server only so you may need to use nick@server instead)
         */
        target = "NickServ";
};

alias "ChanServ" {
        target = "ChanServ";
};

alias "OperServ" {
        target = "OperServ";
};

alias "MemoServ" {
        target = "MemoServ";
};

alias "NS" {
        target = "NickServ";
};

alias "CS" {
        target = "ChanServ";
};

alias "OS" {
        target = "OperServ";
};

alias "MS" {
        target = "MemoServ";
};

/* The general block contains many of the options that were once compiled
 * in options in config.h.  The general block is read at start time.
 */
general {
        /* hide error messages: defines whether error messages from
         * servers that are not deemed fully safe are hidden or not.
         * These can sometimes contain IPs and can have an adverse
         * effect on server ip hiding.  Set to:
         *   yes:   hide from opers and admin
         *   opers: hide from opers only
         *   no:    do not hide error messages
         * Admins on other servers count as opers.
         */
        hide_error_messages = opers;

        /* hide spoof ips: hide the real ips of auth{} spoofed users
         * If disabled, local opers can see them.
         * Dynamic spoofs (e.g. set by services) are unaffected by this;
         * any oper (local and remote) can see the real ip.
         */
        hide_spoof_ips = yes;

        /* default umodes: umodes to set upon connection
         * If you have enabled the ip_cloaking extension, and you wish for
         * incoming clients to be set +h or +x upon connection, add +h or +x to the umode
         * string below.
         */
        default_umodes = "+i";

        /* default operstring: defines the default oper response
         * in /whois queries, eg "is an IRC Operator".
         * After startup use /quote set operstring to change.
         */
        default_operstring = "is an IRC Operator";

        /* default adminstring: defines the default admin response
         * in /whois queries, eg "is a Server Administrator".
         * After startup use /quote set adminstring to change.
         */
        default_adminstring = "is a Server Administrator";

        /* servicestring: defines the response for opered services (+S)
         * in /whois queries, eg "is a Network Service".
         * This is updated on rehash.
         */
        servicestring = "is a Network Service";

        /*
         * Nick of the network's SASL agent. Used to check whether services are here,
         * SASL credentials are only sent to its server. Needs to be a service.
         *
         * Defaults to SaslServ if unspecified.
         */
        sasl_service = "SaslServ";

        /* disable fake channels: disable local users joining fake versions
         * of channels, eg #foo^B^B.  Disables bold, mirc colour, reverse,
         * underline and hard space.  (ASCII 2, 3, 22, 31, 160 respectively).
         */
        disable_fake_channels = no;

        /* tkline_expire_notices: give a notice to opers when a tkline
         * expires
         */
        tkline_expire_notices = no;

        /* floodcount: the default value of floodcount that is configurable
         * via /quote set floodcount.  This is the amount of lines a user
         * may send to any other user/channel in one second.
         */
        default_floodcount = 10;

        /* failed oper notice: send a notice to all opers on the server when
         * someone tries to OPER and uses the wrong password, host or ident.
         */
        failed_oper_notice = yes;

        /* dots in ident: the amount of '.' characters permitted in an ident
         * reply before the user is rejected.
         */
        dots_in_ident = 2;

        /* min nonwildcard: the minimum non wildcard characters in k/d/g lines
         * placed via the server.  klines hand placed are exempt from limits.
         * wildcard chars: '.' '*' '?' '@'
         */
        min_nonwildcard = 4;

        /* min nonwildcard simple: the minimum non wildcard characters in
         * xlines/resvs placed via the server.
         * wildcard chars: '*' '?'
         */
        min_nonwildcard_simple = 3;

        /* max accept: maximum allowed /accept's for +g usermode */
        max_accept = 20;

        /* max monitor: the maximum amount of nicknames a client may have in
         * their monitor (server-side notify) list.
         */
        max_monitor = 100;

        /* nick flood: enable the nickflood control code */
        anti_nick_flood = yes;

        /* nick flood: the nick changes allowed in the specified period */
        max_nick_time = 20 seconds;
        max_nick_changes = 5;

        /* anti spam time: the minimum time a user must be connected before
         * custom quit messages are allowed.
         */
        anti_spam_exit_message_time = 5 minutes;

        /* ts delta: the time delta allowed between server clocks before
         * a warning is given, or before the link is dropped.  all servers
         * should run ntpdate/rdate to keep clocks in sync
         */
        ts_warn_delta = 30 seconds;
        ts_max_delta = 5 minutes;

        /* client exit: prepend a user's quit message with "Quit: " */
        client_exit = yes;

        /* collision fnc: change user's nick to their UID instead of
         * killing them, if possible. This setting only applies to nick
         * collisions detected on this server. Only enable this if
         * all servers on the network allow remote nicks to start with
         * a digit.
         */
        collision_fnc = yes;

        /* resv fnc: change a user's nick to a nick they have recently used
         * (or their UID, if no such nick can be found) when a resv matching
         * them is set by services. Only enable this if all servers on the
         * network allow remote nicks to start with a digit.
         */
        resv_fnc = yes;

        /* global snotices: send out certain snotices (most +b, +f, +y,
         * some +s) to other servers via ENCAP SNOTE. Received SNOTEs are
         * displayed unconditionally.
         */
        global_snotices = yes;

        /* dline reason: show the user the dline reason when they connect
         * and are dlined.
         */
        dline_with_reason = yes;

        /* kline reason: show the user the reason why they are k/dlined
         * on exit.  may give away who set k/dline when set via tcm.
         */
        kline_with_reason = yes;

        /* tkline duration: when showing users their k/dline reason (see
         * kline_with_reason), don't add "Temporary K-line 123 min."
         */
        hide_tkdline_duration = no;

        /* kline reason: make the users quit message on channels this
         * reason instead of the oper's reason.
         */
        kline_reason = "Connection closed";

        /* identify to services via server password
         * if auth{} block had no password but the user specified a
         * server password anyway, send a PRIVMSG to <identify_service>
         * with as text <identify_command> <password>.
         */
        identify_service = "NickServ@services.int";
        identify_command = "IDENTIFY";

        /* non redundant klines: flag and ignore redundant klines */
        non_redundant_klines = yes;

        /* warn no nline: warn opers about servers that try to connect but
         * we dont have a connect {} block for.  Twits with misconfigured
         * servers can get really annoying with this enabled.
         */
        warn_no_nline = yes;

        /* use propagated bans: KLINE, XLINE and RESV set fully propagated bans.
         * That means the bans are part of the netburst and restarted/split
         * servers will get them, but they will not apply to 3.2 and older
         * servers at all.
         */
        use_propagated_bans = yes;

        /* stats e disabled: disable stats e.  useful if server ips are
         * exempted and you dont want them listing on irc.
         */
        stats_e_disabled = no;

        /* stats c oper only: make stats c (connect {}) oper only */
        stats_c_oper_only = no;

        /* stats h oper only: make stats h (hub_mask/leaf_mask) oper only */
        stats_h_oper_only = no;

        /* stats y oper only: make stats y (class {}) oper only */
        stats_y_oper_only = no;

        /* stats o oper only: make stats o (opers) oper only */
        stats_o_oper_only = yes;

        /* stats P oper only: make stats P (ports) oper only
         * NOTE: users doing stats P will never be given the ips that the
         * server listens on, simply the ports.
         */
        stats_P_oper_only = no;

        /* stats i oper only: make stats i (auth {}) oper only. set to:
         *     yes:    show users no auth blocks, made oper only.
         *     masked: show users first matching auth block
         *     no:     show users all auth blocks.
         */
        stats_i_oper_only = masked;

        /* stats k/K oper only: make stats k/K (klines) oper only.  set to:
         *     yes:    show users no auth blocks, made oper only
         *     masked: show users first matching auth block
         *     no:     show users all auth blocks.
         */
        stats_k_oper_only = masked;

        /* map oper only: make /map oper only */
        map_oper_only = no;

        /* operspy admin only: make operspy notices to +Z admin only */
        operspy_admin_only = no;

        /* operspy dont care user info: treat /who mask as if there was
         * an '!' always; do not log or server notice about operspy
         * /who mask, /masktrace and /scan. channel information is still
         * protected. */
        operspy_dont_care_user_info = no;

        /* caller id wait: time between notifying a +g user that somebody
         * is messaging them.
         */
        caller_id_wait = 1 minute;

        /* pace wait simple: time between use of less intensive commands
         * (HELP, remote WHOIS, WHOWAS)
         */
        pace_wait_simple = 1 second;

        /* pace wait: time between more intensive commands
         * (ADMIN, INFO, LIST, LUSERS, MOTD, STATS, VERSION)
         */
        pace_wait = 10 seconds;

        /* short motd: send clients a notice telling them to read the motd
         * instead of forcing a motd to clients who may simply ignore it.
         */
        short_motd = no;

        /* ping cookies: require clients to respond exactly to a ping command,
         * can help block certain types of drones and FTP PASV mode spoofing.
         */
        ping_cookie = no;

        /* connect timeout: sets how long we should wait for a connection
         * request to succeed
         */
        connect_timeout = 30 seconds;

        /* ident timeout: Amount of time (in seconds) that the IRCd will
         * wait for a user to respond to an ident request.
         */
        default_ident_timeout = 5;

        /* disable auth: disables identd checking */
        disable_auth = no;

        /* no oper flood: increase flood limits for opers. */
        no_oper_flood = yes;

        /* REMOVE ME.  The following line checks you've been reading. */
        havent_read_conf = yes;

        /* max targets: the maximum amount of targets in a single
         * PRIVMSG/NOTICE.  set to 999 NOT 0 for unlimited.
         */
        max_targets = 4;

        /* post-registration delay: wait this long before processing commands from a newly
         * registered user. Used to allow network utility bots to perform any actions
         * (such as host changes or proxy scanning) before the user can join channels.
         */
        post_registration_delay = 2 seconds;

        /* use_whois_actually: send clients requesting a whois a numeric
         * giving the real IP of non-spoofed clients to prevent DNS abuse.
         */
        use_whois_actually = yes;

        /* usermodes configurable: a list of usermodes for the options below
         *
         * +g - callerid   - Server Side Ignore
         * +D - deaf       - Don't see channel messages
         * +i - invisible  - Not shown in NAMES or WHO unless you share a
         *                   a channel
         * +l - locops     - See LOCOPS messages
         * +Q - noforward  - Unaffected by channel forwarding
         * +R - regonlymsg - No messages from unindentified
         * +s - servnotice - See server notices
         * +w - wallop     - See oper and server generated WALLOPS
         * +z - operwall   - See operwalls
         */

        /* oper only umodes: usermodes only opers may set */
        oper_only_umodes = operwall, locops, servnotice;

        /* oper umodes: default usermodes opers get when they /oper */
        oper_umodes = locops, servnotice, operwall, wallop;

        /* oper snomask: default snomask opers get when they /oper,
         * provided they have umode +s set */
        oper_snomask = "+s";

        /* compression level: level of compression for compressed links between
         * servers.
         *
         * values are between: 1 (least compression, fastest)
         *                and: 9 (most compression, slowest).
         */
        #compression_level = 6;

        /* burst_away: This enables bursting away messages to servers.
         * With this disabled, we will only propogate AWAY messages
         * as users send them, but never burst them.  Be warned though
         * enabling this could increase the size of a burst significantly
         * for a large network, like EFnet.
         */
        burst_away = yes;

        /* nick delay: This locks nicks of split clients for the given time
         * or until a remote client uses the nick. This significantly
         * reduces nick collisions on short splits but it can be annoying.
         * To make things as fair as possible, this should be the same on
         * all servers. If you enable this, the suggested value is 15 minutes.
         */
        nick_delay = 0 seconds;

        /* reject time: the amount of rejections through klines/dlines etc
         * allowed in the given time before the rejection is cached and
         * a pseudo temp dline is placed
         */
        reject_ban_time = 1 minute;
        reject_after_count = 3;

        /* reject duration: the amount of time to cache the rejection */
        reject_duration = 5 minutes;

        /* throttle_duration: Amount of time that throttling will be applied to an IP
         * address.
         */
        throttle_duration = 60;

        /* throttle_count: Number of connections within throttle_duration that it takes
         * for throttling to take effect */
        throttle_count = 4;

        /* client flood_max_lines: maximum number of lines in a clients queue before
         * they are dropped for flooding.
         */
        client_flood_max_lines = 20;

        /* Flood control settings. DO NOT CHANGE THESE without extensive discussion
         * and testing by someone who knows exactly what they do.
         *
         * These settings replicate charybdis-3.3 behaviour.
         */
        client_flood_burst_rate = 40;
        client_flood_burst_max = 5;
        client_flood_message_time = 1;
        client_flood_message_num = 2;

        /* max_ratelimit_tokens: the maximum number of ratelimit tokens that one
         * user can accumulate. This attempts to limit the amount of outbound
         * bandwidth one user can consume.  Do not change unless you know what
         * you're doing.
         */
        max_ratelimit_tokens = 30;

        /* away_interval: the minimum interval between AWAY commands. One
         * additional AWAY command is allowed, and only marking as away
         * counts.
         */
        away_interval = 30;

        /* certfp_method: the method that should be used for computing certificate fingerprints.
         * Acceptable options are sha1, sha256, spki_sha256, sha512 and spki_sha512.  Networks
         * running versions of charybdis prior to charybdis 3.5 MUST use sha1 for certfp_method.
         *
         * The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
         * not change unless the private key is changed.  This allows the fingerprint to stay
         * constant even if the certificate is reissued.  These fingerprints will be prefixed with
         * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.  These fingerprints
         * are not supported on servers running charybdis 3.5.3 or earlier.
         *
         * To generate a fingerprint from a certificate file, please use the mkfingerprint utility
         * program located in the bin/ subdirectory of your IRCd installation. Running it with no
         * arguments will give you a brief usage message; it takes method and filename arguments.
         */
        certfp_method = spki_sha256;

        /* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */
        hide_opers_in_whois = no;

        /* tls_ciphers_oper_only: show the TLS cipher string in /WHOIS only to opers and self */
        tls_ciphers_oper_only = no;
};

modules {
        /* module path: paths to search for modules specified below and
         * in /modload.
         */
        path = "/usr/local/ircd/modules";
        path = "/usr/local/ircd/modules/autoload";

        /* module: the name of a module to load on startup/rehash */
        #module = "some_module";
};